7836 Commits

Author SHA1 Message Date
dependabot[bot] 681385530f build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0
Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.6.0 to 22.7.0.
- [Release notes](https://github.com/coreos/go-systemd/releases)
- [Commits](https://github.com/coreos/go-systemd/compare/v22.6.0...v22.7.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-systemd/v22
  dependency-version: 22.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 9abc1824f2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-28 12:08:18 -08:00
Kir Kolyshkin 2a5dff7ea7 internal/systemd: simplify
Remove unused code and argument from the ActivationFiles,
and simplify its usage.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6ede591761)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-28 12:08:06 -08:00
Kir Kolyshkin b0e7359a11 Remove crypto/tls dependency
It appears that when we import github.com/coreos/go-systemd/activation,
it brings in the whole crypto/tls package (which is not used by runc
directly or indirectly), making the runc binary size larger and
potentially creating issues with FIPS compliance.

Let's copy the code of function we use from go-systemd/activation
to avoid that.

The space savings are:

$ size runc.before runc.after
   text	   data	    bss	    dec	    hex	filename
7101084	5049593	 271560	12422237	 bd8c5d	runc.before
6508796	4623281	 229128	11361205	 ad5bb5	runc.after

Reported-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit ba9e60f7a8)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-28 12:08:06 -08:00
Rodrigo Campos f5a008c439 Merge pull request #5074 from kolyshkin/1.4-5072
[1.4] CI: fix modernize job failure
2025-12-20 01:23:44 -03:00
Kir Kolyshkin 1b249320aa ci: fix modernize URL
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 428043bcf2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-17 12:34:32 -08:00
Kir Kolyshkin a239670e4b ci: drop -test from modernize run
The modernize documentation used to suggest -test flag but it's not
needed as it is enabled by default. Drop it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit dbc4234607)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 16:52:49 -08:00
Kir Kolyshkin 701561e3f0 ci: use latest Go for modernize job
Since we use modernize@latest, it may require latest Go as well (and now it does),
so use "go-version: stable" explicitly (which resolves to latest Go).

This fixes the issue with CI:

> go: golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest: golang.org/x/tools/gopls@v0.21.0 requires go >= 1.25 (running go 1.24.11; GOTOOLCHAIN=local)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 16ee2bbf4c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 16:52:41 -08:00
Kir Kolyshkin adf07343cf libc/int: use strings.Builder
Generated by modernize@latest (v0.21.0).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 652269729d)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 16:52:37 -08:00
Kir Kolyshkin 4e4fd7c9f0 Merge pull request #5062 from loong64/pr-4938-to-release-1.4
[1.4] Add loong64 support in seccomp and PIE
2025-12-15 11:13:03 -08:00
zhaixiaojuan 508d512061 Add loong64 support in seccomp and PIE
Signed-off-by: zhaixiaojuan <zhaixiaojuan@loongson.cn>
(cherry picked from commit 885509afdf)
Signed-off-by: 吴小白 <296015668@qq.com>
2025-12-09 11:15:55 +08:00
Aleksa Sarai fe09117131 merge #5046 into opencontainers/runc:release-1.4
Li Fu Bang (2):
  VERSION: back to development
  VERSION: release 1.4.0

LGTMs: rata cyphar
2025-11-28 10:34:45 +11:00
lifubang ead7182a41 VERSION: back to development
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 02:52:35 +11:00
lifubang 8bd78a9977 VERSION: release 1.4.0
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.4.0
2025-11-28 02:52:35 +11:00
Rodrigo Campos 7d84a1282a Merge pull request #5005 from cyphar/1.4-hallucinated-paths
[1.4] pathrs: add "hallucination" helpers for SecureJoin magic
2025-11-27 12:11:12 -03:00
lfbzhm c362d6bd21 Merge pull request #5040 from cyphar/1.4-better-init-errors-4928
[1.4] Better errors from `runc init`
2025-11-27 10:46:29 +08:00
Kir Kolyshkin f1d0dd8fb3 runc create/run/exec: show fatal errors from init
In case early stage of runc init (nsenter) fails for some reason, it
logs error(s) with FATAL log level, via bail().

The runc init log is read by a parent (runc create/run/exec) and is
logged via normal logrus mechanism, which is all fine and dandy, except
when `runc init` fails, we return the error from the parent (which is
usually not too helpful, for example):

	runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

Now, the actual underlying error is from runc init and it was logged
earlier; here's how full runc output looks like:

	FATA[0000] nsexec-1[3247792]: failed to unshare remaining namespaces: No space left on device
	FATA[0000] nsexec-0[3247790]: failed to sync with stage-1: next state
	ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

The problem is, upper level runtimes tend to ignore everything except
the last line from runc, and thus error reported by e.g. docker is not
very helpful.

This patch tries to improve the situation by collecting FATAL errors
from runc init and appending those to the error returned (instead of
logging). With it, the above error will look like this:

	ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF; runc init error(s): nsexec-1[141549]: failed to unshare remaining namespaces: No space left on device; nsexec-0[141547]: failed to sync with stage-1: next state

Yes, it is long and ugly, but at least the upper level runtime will
report it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f944ccecb2)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 17:59:54 -08:00
Kir Kolyshkin 46156624b7 libct/nsenter: better read/write errors
Introduce and use iobail, xread, and xwrite wrappers so that we can
properly check read/write return value and call either bail or bailx on
error, with proper diagnostics (distinguishing failed read/write from a
short read/write).

This prevents the "Success" prefix in errors like:

	failed to sync with stage-1: next state: Success

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6c18b25cdc)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 17:59:54 -08:00
Kir Kolyshkin c4a61c0227 libct/nsenter: sprinkle missing sane_kill
Add a few missing sane_kill calls where they make sense.

Remove one useless sane_kill of stage2_pid, as during SYNC_USERMAP stage2
is not yet started. It is harmless yet it makes the code slightly harder
to read.

Set the child pid to -1 upon receiving SYNC_CHILD_FINISH
to minimize the chances of killing an unrelated process.
When a child sends SYNC_CHILD_FINISH it is about to exit
(although theoretically it could be stuck during debug logging).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit aea52d0ab0)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 17:59:54 -08:00
Kir Kolyshkin 493f1b10fe libct/nsenter: add and use bailx
We use bail to report fatal errors, and bail always append %m
(aka strerror(errno)). In case an error condition did not set
errno, the log message will end up with ": Success" or an error
from a stale errno value. Either case is confusing for users.

Introduce bailx which is the same as bail except it does not
append %m, and use it where appropriate.

The naming follows libc's err(3) and errx(3).

PS we still use bail in a few cases after read or write, even
if that read/write did not return an error, because the code
does not distinguish between short read/write and error (-1).
This will be addressed by the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 067b8335e7)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 17:59:54 -08:00
Kir Kolyshkin 7f9fc53c34 libct/nsenter: save errno in sane_kill
Since sane_kill after a failed read or write, but before reporting the
error from that read or write, it may change the errno value in case
kill(2) fails.

Save and restore the errno around the call to kill.

While at it,
 - change the code to return early;
 - don't return kill return value as no one is using it, and the errno
   value no longer correlates.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 9c8f476cb6)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 17:59:54 -08:00
Kir Kolyshkin e18c06bf8e Merge pull request #5041 from lifubang/backport-5014-fd-leaks-flake-1.4
[1.4] libct/int: TestFdLeaks: deflake
2025-11-26 17:57:27 -08:00
Kir Kolyshkin 5bb89872f8 libct/int: TestFdLeaks: deflake
Since the recent CVE fixes, TestFdLeaksSystemd sometimes fails:

	=== RUN   TestFdLeaksSystemd
	    exec_test.go:1750: extra fd 9 -> /12224/task/13831/fd
	    exec_test.go:1753: found 1 extra fds after container.Run
	--- FAIL: TestFdLeaksSystemd (0.10s)

It might have been caused by the change to the test code in commit
ff6fe13 ("utils: use safe procfs for /proc/self/fd loop code") -- we are
now opening a file descriptor during the logic to get a list of file
descriptors. If the file descriptor happens to be allocated to a
different number, you'll get an error.

Let's try to filter out the fd used to read a directory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5fbc3bb019)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-26 14:11:41 +00:00
lifubang 6a270e49a3 integration: add some tests for bind mount through dangling symlinks
We intentionally broke this in commit d40b3439a9 ("rootfs: switch to
fd-based handling of mountpoint targets") under the assumption that most
users do not need this feature. Sadly it turns out they do, and so
commit 3f925525b4 ("rootfs: re-allow dangling symlinks in mount
targets") added a hotfix to re-add this functionality.

This patch adds some much-needed tests for this behaviour, since it
seems we are going to need to keep this for compatibility reasons (at
least until runc v2...).

Co-developed-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 15d7c214cd)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:05:38 +11:00
Aleksa Sarai aa3be89f0d pathrs: add MkdirAllParentInRoot helper
While CreateInRoot supports hallucinating the target path, we do not use
it directly when constructing device inode targets because we need to
have different handling for mknod and bind-mounts.

The solution is to simply have a more generic MkdirAllParentInRoot
helper that MkdirAll's the parent directory of the target path and then
allows the caller to create the trailing component however they like.
(This can be used by CreateInRoot internally as well!)

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 195e9551e4)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:05:38 +11:00
Aleksa Sarai da73ade8da pathrs: add "hallucination" helpers for SecureJoin magic
In order to maintain compatibility with previous releases of runc (which
permitted dangling symlinks as path components by permitting
non-existent path components to be treated like real directories) we
have to first do SecureJoin to construct a target path that is
compatible with the old behaviour but has all dangling symlinks (or
other invalid paths like ".." components after non-existent directories)
removed.

This is effectively a more generic verison of commit 3f925525b4
("rootfs: re-allow dangling symlinks in mount targets") and will let us
remove the need for open-coding SecureJoin workarounds.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit cfb74326be)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:05:38 +11:00
Aleksa Sarai 7bf92b9d6a pathrs: rename MkdirAllInRootOpen -> MkdirAllInRoot
Now that MkdirAllInRoot has been removed, we can make MkdirAllInRootOpen
less wordy by renaming it to MkdirAllInRoot. This is a non-functional
change.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 20c5a8ec4a)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:05:37 +11:00
Aleksa Sarai c2bde92ce8 libct: switch final WithProcfd users to WithProcfdFile
This probably should've been done as part of commit d40b3439a9
("rootfs: switch to fd-based handling of mountpoint targets") but it
seems I missed them when doing the rest of the conversions.

This also lets us remove utils.WithProcfd entirely, as well as
pathrs.MkdirAllInRoot. Unfortunately, WithProcfd was exposed in the
externally-importable "libcontainer/utils" package and so we need to
have a deprecation notice to remove it in runc 1.5.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 9dbd37e06f)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:05:37 +11:00
Aleksa Sarai 50aa47ba69 libcontainer: move CleanPath and StripRoot to internal/pathrs
These helpers will be needed for the compatibility code added in future
patches in this series, but because "internal/pathrs" is imported by
"libcontainer/utils" we need to move them so that we can avoid circular
dependencies.

Because the old functions were in a non-internal package it is possible
some downstreams use them, so add some wrappers but mark them as
deprecated.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 42a1e19d67)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:05:37 +11:00
Akihiro Suda ffc11bcff5 Merge pull request #5034 from lifubang/ci-detect-fdleak-try-best-1.4
[1.4] fix fd leaks and detect them as comprehensively as possible
2025-11-26 12:48:08 +09:00
lifubang e675743f06 integration: verify syscall compatibility after seccomp enforcement
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit d8706501cf)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:53:07 +00:00
lifubang f52ffd18d1 bump github.com/cyphar/filepath-securejoin from 0.6.0 to 0.6.1
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 0127cc650928156cb1fb43a02705926c445ed0c1)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:53:03 +00:00
lifubang 0ec8f1abd5 libct: add a defer fd close in createDeviceNode
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 9a5e6262f0bf4e3e654b1a0d71bb804093948f85)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:53:03 +00:00
lifubang 612dbb942c libct: always close m.dstFile in mountToRootfs
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit e0272886047915899ec06e06665723fc453d3cbf)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:53:03 +00:00
lifubang 9f84cce9ba ci: detect file descriptor leaks as comprehensively as possible
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit ba7f46d7119dc4bf57e2a13017333d1980494ea9)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:53:03 +00:00
lfbzhm 9a05ab7cc2 Merge pull request #5000 from kolyshkin/1.4-check-go
[1.4] check go version from Dockerfile
2025-11-20 17:52:02 +08:00
lfbzhm 2fed6833ff Merge pull request #5011 from kolyshkin/1.4-4948
[1.4] docs/spec-conformance.md: update for spec v1.3.0
2025-11-20 12:46:05 +08:00
Kir Kolyshkin 896c4beaec ci: add checking Go version from Dockerfile
This is to ensure that Go version in Dockerfile (which is used to build
release binaries) is:
 - currently supported;
 - used in CI tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit df4acc8867)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 12:43:40 +08:00
Kir Kolyshkin cb401641e5 ci: faster git clone
For some reason, some jobs in .github/workflows/validate.yml
have "fetch-depth: 0" argument to actions/checkout, meaning
"all history for all branches and tags". Obviously this is
not needed here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e0b00171eb0f338cf024760019abdd4e7dec690f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 12:43:40 +08:00
Akihiro Suda 77c79c566f docs/spec-conformance.md: update for spec v1.3.0
ref: opencontainers/runtime-spec PR 1302

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 653161f6d8)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 14:16:43 +11:00
lfbzhm f9f0369f1f Merge pull request #5030 from cyphar/1.4-5017-ci-pin-parent-cgroup
[1.4] ci: ensure the cgroup parent always exists for rootless
2025-11-20 09:15:03 +08:00
lifubang 2702f9bfbc ci: ensure the cgroup(v1) parent always exists for rootless
On some systems (e.g., AlmaLinux 8), systemd automatically removes cgroup paths
when they become empty (i.e., contain no processes). To prevent this, we spawn
a dummy process to pin the cgroup in place.
Fix: https://github.com/opencontainers/runc/issues/5003

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit bba7647d09)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-20 03:28:43 +11:00
Akihiro Suda e3bfca3b56 Merge pull request #5004 from cyphar/1.4-pids-limit-0
[1.4] runtime-spec: update pids.limit handling to match new guidance
2025-11-18 13:43:09 +09:00
Kir Kolyshkin c5528aba2f Merge pull request #5006 from cyphar/1.4-deprecate-cgroupv1
[1.4] Deprecate cgroup v1
2025-11-13 13:21:44 -08:00
Akihiro Suda 62014ed9d4 Deprecate cgroup v1
For issue 4955

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 1cdfc0def9)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-12 20:18:54 +11:00
Aleksa Sarai 41e6b4f077 update: switch to generics for mkPtr logic
This is much easier to read and removes the need for explicit per-type
helper functions.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 8ab2458bc4)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-12 20:07:00 +11:00
Aleksa Sarai 88e3b11467 tests: add pids.limit tests
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 72421e0e25)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-12 20:07:00 +11:00
Aleksa Sarai 24dff91a09 runtime-spec: update pids.limit handling to match new guidance
The main update is actually in github.com/opencontainers/cgroups, but we
need to also update runtime-spec to a newer pre-release version to get
the updates from there as well.

In short, the behaviour change is now that "0" is treated as a valid
value to set in "pids.max", "-1" means "max" and unset/nil means "do
nothing". As described in the opencontainers/cgroups PR, this change is
actually backwards compatible because our internal state.json stores
PidsLimit, and that entry is marked as "omitempty". So, an old runc
would omit PidsLimit=0 in state.json, and this will be parsed by a new
runc as being "nil" -- and both would treat this case as "do not set
anything".

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 3b75374cc7)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-12 20:07:00 +11:00
Aleksa Sarai e3fbc19db7 Merge pull request #4995 from kolyshkin/1.4-4970
[1.4] disable golangci-lint cache
2025-11-11 15:04:41 +11:00
lfbzhm 80cfbe4d27 Merge pull request #4976 from cyphar/1.4-tmpfs-mode
[1.4] rootfs: only set mode= for tmpfs mount if target already existed
2025-11-11 09:26:44 +08:00
lfbzhm b604bc8b98 Merge pull request #4980 from cyphar/1.4-selinux-1.13
[1.4] deps: update to github.com/opencontainers/selinux@v0.13.0
2025-11-11 09:24:49 +08:00